AlienVault Connector doesn't pull any data .

[CyberSentr]

Hello there ! Since 20 March 2024 my AlienVault connector has completely stopped working . I tried every troubleshooting variant possible , but no success so far . Things I did

• Updated OpenCTI
• Updated Docker
• Updated the connector image to 6.0.10
• Generated a fresh user inside the platform with its respective ID
• Generated a fresh API key inside AlienVault OTX
• Subscribed to all relevant Pulses
• Assigned a high confidence level
• Restarted the connector
• Composed it again
• Successfully reached API with curl and pulled over 300k indicators

I'm really running out of options here. Interestingly, the same configuration is working perfectly fine on my colleague's setup. I'm confident that my Docker implementation is solid.

Docker container logs

Docker-compose configuration connector-alienvault: image: opencti/connector-alienvault:6.0.10 environment:

• OPENCTI_URL=https://URL
• OPENCTI_TOKEN=f9eeb6aa-4423-4423-af8a-xxxxxxxxxxxx
• CONNECTOR_ID=89df23ff-be0f-4971-91aa-xxxxxxxxxxxxx
• CONNECTOR_TYPE=EXTERNAL_IMPORT
• CONNECTOR_NAME=AlienVault
• CONNECTOR_SCOPE=alienvault
• CONNECTOR_CONFIDENCE_LEVEL=85 # From 0 (Unknown) to 100 (Fully trusted)
• CONNECTOR_UPDATE_EXISTING_DATA=false
• CONNECTOR_LOG_LEVEL=info
• ALIENVAULT_BASE_URL=https://otx.alienvault.com
• ALIENVAULT_API_KEY=${ALIENVAULT_API_KEY}
• ALIENVAULT_TLP=White
• ALIENVAULT_CREATE_OBSERVABLES=true
• ALIENVAULT_CREATE_INDICATORS=true
• ALIENVAULT_PULSE_START_TIMESTAMP=2020-05-01T00:00:00 # BEWARE! Could be a lot of pulses!
• ALIENVAULT_REPORT_TYPE=threat-report
• ALIENVAULT_REPORT_STATUS=NEW
• ALIENVAULT_GUESS_MALWARE=true # Use tags to guess malware.
• ALIENVAULT_GUESS_CVE=true # Use tags to guess CVE.
• ALIENVAULT_EXCLUDED_PULSE_INDICATOR_TYPES=FileHash-MD5,FileHash-SHA1 # Excluded Pulse indicator types.
• ALIENVAULT_ENABLE_RELATIONSHIPS=true # Enable/Disable relationship creation between SDOs.
• ALIENVAULT_ENABLE_ATTACK_PATTERNS_INDICATES=true # Enable/Disable "indicates" relationships between indicators and attack patterns
• ALIENVAULT_INTERVAL_SEC=500 restart: always depends_on:
• opencti

CTI version : 6.0.5 ( Standalone architecture , 1 node deployment ) Docker version : 26.0.1, build d260a54

Any help would be greatly appreciated ! Have a nice day !

[CyberSentr]

Update : Error popped up in the logs this morning : {"timestamp": "2024-04-19T06:25:06.577465Z", "level": "ERROR", "name": "AlienVault", "message": "Error pinging the API", "exc_info": "Traceback (most recent call last):\n File \"/usr/local/lib/python3.11/site-packages/pycti/connector/opencti_connector_helper.py\", line 442, in ping\n result = self.api.connector.ping(self.connector_id, initial_state)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/usr/local/lib/python3.11/site-packages/pycti/api/opencti_api_connector.py\", line 63, in ping\n result = self.api.query(\n ^^^^^^^^^^^^^^^\n File \"/usr/local/lib/python3.11/site-packages/pycti/api/opencti_api_client.py\", line 353, in query\n raise ValueError(\nValueError: {'name': 'DATABASE_ERROR', 'message': 'Update indexing fail'}", "attributes": {"reason": "{'name': 'DATABASE_ERROR', 'message': 'Update indexing fail'}"}}

[CyberSentr]

Update : Updated OpenCTI deployment to 6.0.10 , same issue

[helene-nguyen]

Hi @CyberSentr! May I help you with this error message.

{'name': 'DATABASE_ERROR', 'message': 'Update indexing fail'}", "attributes": {"reason": "{'name': 'DATABASE_ERROR', 'message': 'Update indexing fail'}"}}

This error indicates an error on your database and not with AlienVault directly. I will ask to my team and give you an update soon :)

[helene-nguyen]

@CyberSentr sorry for the late answer, after some investigations, the Update indexing fail means that there is a data in the database that cannot be updated. Does the error block your OpenCTI deployment?